1. Field of the Invention
This invention relates generally to information security and more particularly to a system and method for implementing security management using a database-modeled security policy.
2. Description of the Background Art
Information security in the context of enterprise intranets and connections to internets focuses on three fundamental goals: confidentiality, integrity, and availability. Confidentiality relates to the need of insuring that information does not get into the wrong hands. Integrity relates to insuring that the information does not change states unless authorized. Availability relates to insuring that the wrong people do not get to the information but that the right people can. Traditionally, security policies have been entombed in paper manuscripts that are static documents conventionally relegated to the shelves of those responsible for observing the policies outlined therein. Further, changes to the security policy require the insertion and/or substitution of various pages of the policy. Insuring that maintenance of an up-to-date policy thus becomes an unwieldy task in an organization of any substantial size.
Information security management in the context of today's networked systems is more than installing burglar alarms and monitoring doors. Information security administrators have to manage and coordinate the implementation of diverse tools and technologies tailored to assure the attainment of security information goals. The various tools must be deployed and their use coordinated to properly maximize their usefulness. A further requirement of modern security information systems is the need to provide meaningful metrics and reporting. In the dynamic environment in which the security information administrator must function, the need to audit and report on the use of software and hardware tools, new systems, new resources, discontinued resources, mergers, etc. is very difficult. A further consideration of the security information administrator is the management of resources. Resource allocation to maximize the usefulness of the various resources is critical. Additionally, resource allocation must be productive to justify the investment.
The prior art takes a combination of various technologies, for example spreadsheet and database technologies and various utilities, and under management of the security information administrator, seeks to manage the different aspects of information security. None of the described technologies are specifically designed to manage the number of resources involved in modern information security. A further limitation of the paper policy is that dynamic searches are not enabled. For example, if it is desired to find the sections of the policy related to firewall administration, a search through the policy must be conducted manually. Additionally, as the management of the security policy is an ongoing process, data generated by the various resources used is not conveniently analyzable by the available resources.
It is technically possible to break the security policy into sections; however, security policies are notorious for having numerous appendices that are constantly referenced throughout the policy. This makes the task of categorizing the various functions and roles assigned in the policy a very time-consuming and difficult task. This situation leads to the current practice of giving every user in the enterprise the entire policy whereas the entire policy should only be accessible by the information security administrator. A measure of access control is lost by this implementation in that every user has knowledge of every other user's roles and responsibilities.
In the administration and management of a security policy, it is of utmost importance that the security information administrator be able to plan for, execute to maximize, and measure the effectiveness of the security policy. Prior art methods of accomplishing these goals fail to adequately meet these needs. A security information system must be able to assign roles to various users within the enterprise, schedule the performance of assigned tasks and dynamically assign users to new/additional roles/tasks. Furthermore, confirmation that the task was performed is required.